lodger has reported a weakness in Tor, which potentially can be exploited by malicious people to expose sensitive information. When building a circuit, Tor checks if an entry guard is exactly the same as an exit guard, but fails to check if they are also part of the same family. This may weaken the Tor security concept and could make it easier to launch certain attacks. The weakness is reported in versions prior to 0.1.2.14. Solution: Update to version 0.1.2.14.
setting status and cc'ing maintainer. Gustavo, please advise and bump as necessary.
*** Bug 180152 has been marked as a duplicate of this bug. ***
Simply renaming the old 0.1.2.13 ebuild to 0.1.2.14 worked well enough for me; compiled all right and seems to be running fine so far.
I bumped and fixed another issue that happened with logrotate. Sec team should probably push for a stable 0.1.2.14 so that older versions can be removed from the tree.
Thanks Gustavo. Arches, please test and mark stable. target keywords are: tor-0.1.2.14.ebuild:KEYWORDS="amd64 ppc ppc64 sparc x86 ~x86-fbsd"
1. emerges on x86 2. passes test suite 3. passes collision test 4. works Mirror problem: >>> Emerging (1 of 1) net-misc/tor-0.1.2.14 to / >>> Downloading 'http://distfiles.gentoo.org/distfiles/tor-0.1.2.14.tar.gz' --14:01:46-- http://distfiles.gentoo.org/distfiles/tor-0.1.2.14.tar.gz => `/usr/portage/distfiles/tor-0.1.2.14.tar.gz' Resolving distfiles.gentoo.org... 64.50.238.52, 64.50.236.52, 216.165.129.135, ... Connecting to distfiles.gentoo.org|64.50.238.52|:80... connected. HTTP request sent, awaiting response... 404 Not Found 14:01:46 ERROR 404: Not Found. >>> Downloading 'http://distro.ibiblio.org/pub/linux/distributions/gentoo/distfiles/tor-0.1.2.14.tar.gz' --14:01:46-- http://distro.ibiblio.org/pub/linux/distributions/gentoo/distfiles/tor-0.1.2.14.tar.gz => `/usr/portage/distfiles/tor-0.1.2.14.tar.gz' Resolving distro.ibiblio.org... 152.46.7.109 Connecting to distro.ibiblio.org|152.46.7.109|:80... connected. HTTP request sent, awaiting response... 404 Not Found 14:01:48 ERROR 404: Not Found. >>> Downloading 'http://tor.eff.org/dist/tor-0.1.2.14.tar.gz' --14:06:25-- http://tor.eff.org/dist/tor-0.1.2.14.tar.gz => `/usr/portage/distfiles/tor-0.1.2.14.tar.gz' Resolving tor.eff.org... 209.237.230.67 Connecting to tor.eff.org|209.237.230.67|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 1,225,040 (1.2M) [application/x-tar] 100%[========================================================================>] 1,225,040 134.96K/s ETA 00:00 14:06:35 (126.77 KB/s) - `/usr/portage/distfiles/tor-0.1.2.14.tar.gz' saved [1225040/1225040] Portage 2.1.2.7 (default-linux/x86/2006.1, gcc-4.1.2, glibc-2.5-r3, 2.6.17-gentoo-r8-panic i686) ================================================================= System uname: 2.6.17-gentoo-r8-panic i686 Intel(R) Pentium(R) M processor 2.00GHz Gentoo Base System release 1.12.9 Timestamp of tree: Thu, 31 May 2007 10:30:08 +0000 ccache version 2.4 [disabled] dev-java/java-config: 1.3.7, 2.0.32 dev-lang/python: 2.4.4-r4 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.4-r7 sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.61 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.16 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.17-r2 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-O3 -march=pentium-m -msse2 -mmmx -msse -mfpmath=sse -fomit-frame-pointer -pipe" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-O3 -march=pentium-m -msse2 -mmmx -msse -mfpmath=sse -fomit-frame-pointer -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict userfetch userpriv usersandbox" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo" LANG="it_IT.UTF-8" LC_ALL="it_IT UTF-8" LINGUAS="it" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/portage/local/layman/drizzt-overlay /usr/portage/local/layman/webapps-experimental /usr/portage/local/layman/sunrise" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="X a52 aac acpi adns alsa apache arts asf ati avi bash-completion beagle berkdb bitmap-fonts browserplugin bzip2 cairo caps cdr cli cracklib crd crypt cups curl daap dbus dga djvu dmi dri dts dvd dvdr dvi emacs evo exif fbcon ffmpeg firefox flac foomatic fortran gdbm gif gimpprint glitz gnome gnutls gpm gtk hal i810 iconv imagemagick intel ipod ipv6 isdnlog java jpeg kde libg++ libnotify libsexy lns mad midi mmap mmx mng mono mozilla moznocompose moznoirc moznomail mozsvg mp3 mp4 mpeg mudflap musepack nautilus ncurses network njb nls nptl nptlonly nsplugin numeric ogg ole opengl openmp openntpd oss pam pcre pdf perl php png portaudio posix ppds pppd pwdb python qt qt3 radeon readline real reflection samba sdl session sndfile spl sse sse2 ssl svg t1lib tcpd theora threads truetype-fonts type1-fonts unicode usb v4l vcd vorbis win32codecs wma wmf wmv wxwindows x264 x86 xine xml2 xorg xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="it" USERLAND="GNU" VIDEO_CARDS="vesa i810 vga" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS For me Stable in x86
(In reply to comment #6) > Mirror problem: [...] This should go away soon. > For me Stable in x86 Me, too. Thanks for testing. x86 done.
sparc stable.
ppc64 done
amd64 stable
stable on ppc
This one is ready for GLSA decision. I tend to vote NO.
another NO.
